[THIN] Re: OT: Exchange Server Spamming

  • From: "Nick Smith" <nick@xxxxxxxxxxxxxxx>
  • To: <thin@xxxxxxxxxxxxx>
  • Date: Mon, 1 Mar 2004 19:28:24 -0000

When we've had this problem in the past, it has taken literally hours
and hours for the server to settle down after switching off NDRs -
sorry, I should have mentioned that earlier. I suspect that spammers
include some of their own addresses to check whether you're available
for this sort of attack. We often see an ongoing trickle for a while
afterwards.
Nick

-----Original Message-----
From: Jeff Durbin [mailto:techlists@xxxxxxxxxxxxx]
Sent: 01 March 2004 19:24
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: OT: Exchange Server Spamming

  I knew about reverse NDR and thought that would be the case, but when
I switched off NDRs, it still happened. I'm wondering if there wasn't
some backlog that happened on the Exchange server to fill the queue back
up once I had emptied it, thereby leading me to conclude that the
problem was emanating from the Exchange server itself. What I had done
was:

- disconnect from the network
- stop Exchange IMC
- rename the IMCDATA folder to IMCDATA.OLD
- start the Exchange IMC

  I downloaded 3 post-SP4 Exchange 5.5 patches and installed them. That
seemed to actually slow it down to maybe one message every few seconds
in the queue, but that could have been coincidence.
  I downloaded CMS's Praetor eval version, installed it on my laptop,
and routed all mail through my laptop. This software protects you from
reverse NDR by allowing you to specify a list of valid recipients. Once
it was in place, the outbound SMTP queue stopped filling with spam. In
looking at the log, though, it wasn't stopping reverse NDR, but relay
off the server. I know for a fact the relay is closed (there is NO
relay, even for authenticated users, etc.), and as far as I can tell,
Exchange is fully patched, so I don't really know what to make of it.

JD


> -----Original Message-----
> From: thin-bounce@xxxxxxxxxxxxx
> [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Nick Smith
> Sent: Monday, 1 March 2004 8:22 p.m.
> To: thin@xxxxxxxxxxxxx
> Subject: [THIN] Re: OT: Exchange Server Spamming
>
> Jeff - It's being used for Reverse Spam. The idea is that you send out
> a bunch of spam to a server from valid email addresses; your server
> then sends an NDR to the addresses, thus delivering the spam. Switch
> off NDRs to stop this.
> Nick
>
> -----Original Message-----
> From: Jeff Durbin [mailto:techlists@xxxxxxxxxxxxx]
> Sent: 01 March 2004 05:26
> To: thin@xxxxxxxxxxxxx
> Subject: [THIN] OT: Exchange Server Spamming
>
> I have a customer with an NT4 Small Business Server with Exchange 5.5
> SP4.
> The outbound SMTP queue is filling with undelivered mail, indicating
> that the server is being used to spam. The server is definitely not an
> open relay (tested myself and through ORDB.ORG), and doesn't allow
> *any* SMTP relay.
> I've found that the outbound queue on this server fills up even if
> it's disconnected from the network, which tells me that the server
> itself is generating the mail. It's got Norton Antivirus with the
> latest definitions, and I've scanned it with Trend's online virus
> scanner. I don't find any viruses at all. I've looked at the processes
> for processes that are using a bunch of CPU time, but don't see
> anything obvious. Any ideas? TIA.
>
> JD
>
> ********************************************************
> This week's sponsor triCerat Inc.
> triCerat makes your job easier by offering essential applications to
> eliminate your printing, policy and profile, and your application
> management problems.
> http://www.triCerat.com
> **********************************************************
> Useful Thin Client Computing Links are available at:
> http://thin.net/links.cfm
> ***********************************************************
> For Archives, to Unsubscribe, Subscribe or set Digest or Vacation mode
> use the below link:
> http://thin.net/citrixlist.cfm



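The reverse-NDR (backscatter) mechanism described in this thread, and the effect of the two mitigations mentioned (switching off NDRs, and rejecting unknown recipients up front as a recipient-list filter does), as an added simulation that is not code from the thread or from any product named in it. The domain, mailbox list and SMTP lines are constructed for the example; it models a server that either accepts mail for any local address and bounces the undeliverable ones later, or refuses unknown users at RCPT TO so there is never anything to bounce.

```python
"""Simulation of reverse-NDR (backscatter) spam against a mail server.

Constructed example, not code from the THIN list thread. The attacker
forges MAIL FROM as the real target and sends to a non-existent local
mailbox. A server that accepts the message and bounces it later sends the
spam body to the target inside its own NDR, filling the outbound queue
even with the network unplugged. Rejecting unknown recipients at RCPT TO
leaves nothing to bounce; disabling NDRs drops the mail instead.
"""
from dataclasses import dataclass, field

LOCAL_DOMAIN = "example.com"                                 # assumed domain
VALID_MAILBOXES = {"jeff@example.com", "nick@example.com"}   # assumed list


@dataclass
class MailServer:
    validate_recipients: bool        # True: 550 unknown users at RCPT TO
    send_ndrs: bool = True           # False: drop undeliverable mail silently
    outbound_queue: list = field(default_factory=list)  # NDRs waiting to go out
    dropped: int = 0                 # undeliverable mail discarded without NDR

    def session(self, mail_from, rcpt_to, body):
        """Run one SMTP session; return a list of (client line, server reply)."""
        transcript = [("MAIL FROM:<%s>" % mail_from, "250 OK")]
        if self.validate_recipients and rcpt_to not in VALID_MAILBOXES:
            # Reject at the envelope stage: the spam body is never accepted,
            # so the server has nothing to return to the forged sender.
            transcript.append(("RCPT TO:<%s>" % rcpt_to, "550 5.1.1 User unknown"))
            return transcript
        transcript.append(("RCPT TO:<%s>" % rcpt_to, "250 OK"))
        transcript.append(("DATA ... %s" % body, "250 Queued"))
        self._deliver(mail_from, rcpt_to, body)
        return transcript

    def _deliver(self, mail_from, rcpt_to, body):
        """Local delivery; unknown mailbox becomes an NDR or is dropped."""
        if rcpt_to in VALID_MAILBOXES:
            return
        if self.send_ndrs and mail_from:
            # The NDR carries the original message, so the forged sender
            # (the spammer's real target) receives the spam from this server.
            self.outbound_queue.append({
                "to": mail_from,
                "subject": "Undeliverable: mail to %s" % rcpt_to,
                "body": "Your message could not be delivered.\n\n" + body,
            })
        else:
            self.dropped += 1


def run_attack(server, target, n=3):
    """Attacker sends n messages, each with MAIL FROM forged as `target`
    and a recipient that does not exist locally. Returns the number of
    NDRs now sitting in the outbound queue."""
    for i in range(n):
        server.session(target, "nosuchuser%d@%s" % (i, LOCAL_DOMAIN),
                       "BUY NOW %d" % i)
    return len(server.outbound_queue)


if __name__ == "__main__":
    for label, srv in (("accept-then-bounce", MailServer(validate_recipients=False)),
                       ("NDRs off", MailServer(validate_recipients=False, send_ndrs=False)),
                       ("reject at RCPT TO", MailServer(validate_recipients=True))):
        queued = run_attack(srv, "victim@example.net")
        print("%-20s queued NDRs=%d dropped=%d" % (label, queued, srv.dropped))
```

The third configuration is the one worth aiming for: the rejecting server never takes custody of the message, so it neither bounces it nor has to discard legitimate misaddressed mail silently, which is the cost of simply turning NDRs off. The "accept-then-bounce" case also shows why the queue can keep filling after the network is disconnected: the NDRs are generated locally from mail already accepted, not received over the wire.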